Data Breaches in the Cloud: Who's Responsible?

The cloud multiplier effect means data breaches in the cloud are increasing -- and becoming more costly. With so many states and localities opting to host their data there, what happens when breaches occur?

The risk of a data breach in the cloud is multiplying: such breaches are now costlier and happen more frequently, according to a recent study by the Ponemon Institute.

But this phenomenon, which is dubbed the cloud multiplier effect, can be mitigated by a strengthened security posture, according to Larry Ponemon, chairman of the Ponemon Institute.

"It's funny, I'm a big believer in the cloud," Ponemon said. "I like cloud and I think cloud [has] improved quite a bit from a security perspective."

Cloud computing is not necessarily less secure, Ponemon said, but that is the perception among many of the study's respondents, who view an on-premises data breach as easier to control and therefore less costly.

"It's kind of a level of complexity you are adding because now you're relying on a third party to do the right steps," Ponemon said.

The fact that many cloud environments are secure is a sentiment echoed by several government CIOs who commented on the security of and possibility of a breach within their own cloud environments. "From what I know, and certainly from a mid-size city characteristic, the reputable cloud vendors have better security than we have," said Michael Armstrong, CIO of Corpus Christi, Texas.

Still, there are notes of cloud security pessimism from IT officials and security practitioners throughout the study, Data Breach: The Cloud Multiplier Effect, published in June. For instance, 66 percent of respondents said their organization's use of a cloud resource diminishes its ability to protect confidential or sensitive information, according to the study, sponsored by Netskope.

The study published and commented on the responses from 613 IT practitioners on questions related to cloud security, including who is responsible for a breach after it happens.

Although it's impossible to know the motivations of the study's respondents, Ponemon said he suspects their mixed view of cloud security is itself a mix of truth and perception.

Cloud Security

Ponemon said he understands some of the study's negativity because he's seen data breach research on public cloud providers not taking the appropriate security steps and breaches occurring. But, he said, few of this study's respondents reported breaches of their own.

One security gamble when moving to the cloud is the data owner's loss of control. Ponemon said that when an organization owns its own data center, security staff can observe and control Internet traffic easily and configure firewalls as they see fit. Visibility, he said, is a core security issue.

"Not having that ability, that visibility, makes it very hard for the company that's entrusting the cloud provider to make sure that all these steps are being taken properly," Ponemon said.

Although organizations can mitigate or reduce the risk of a breach by vetting cloud provider security practices and conducting audits of the data stored in the cloud, the majority of companies are not following these practices, according to the study. One reason is that the procurement process may be happening outside of IT's purview, Ponemon said.

Pennsylvania, which is in the process of unifying its seven data centers with a Unisys hybrid cloud, included in its contract the flexibility to personally conduct audits or have regulatory agencies conduct them, said Tony Encinias, CIO of Pennsylvania. "We need to make sure we satisfy the requirements," he said, "and we also need to make sure that we're doing it smart."

But when organizations don't take extra steps to ensure the cloud is secure, this feeds into the cloud multiplier effect, Ponemon said. Also contributing to the effect: the number of mobile and other devices accessing the cloud; increased cloud dependency; and lack of visibility about what's in the cloud, which may put sensitive or confidential information at risk, according to the study.

Increasing the backup and storage of sensitive or confidential information in the cloud also tops a list of nine scenarios as the most costly in a data breach, according to the study.

Corpus Christi's Armstrong said he believes the cloud multiplier effect can be diminished. "I think you can mitigate that by being very careful about where you put your stuff." He said he's especially careful about the arrangements he makes with core business applications in cloud environments.

Survey Stats at a Glance

66 percent of respondents said their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information.

62 percent said they believed the cloud services in use by their organizations are not thoroughly vetted for security before being used.

71 percent said they would not receive immediate notifications involving the loss or theft of customer data.

51 percent said on-premises IT is equally or less secure than cloud-based services.

55 percent responded that they don't believe their IT leader is responsible for ensuring their information is secure.

Corpus Christi has had some major business applications in the cloud for five years, including the full Infor Lawson suite of applications in the Infor Business Cloud. Armstrong said there is sensitive information he won't store in the cloud now, though he will likely reconsider in the next decade since cloud vendors are getting more reliable and secure.

Although there is some distrust surrounding security in the cloud, 51 percent of respondents in the study answered that on-premises IT is equal to or less secure than cloud-based services.

"There are things that make the cloud very, very secure. You just have to be careful and have some vigilance," Ponemon said.

King County, Wash., has platforms in place to cover the three areas of cloud computing -- IaaS (infrastructure as a service) with Amazon and DLT, PaaS (platform as a service) with Microsoft CRM, and Office 365 and SaaS (software as a service) with the county's prosecuting attorneys case management system.

Each cloud project was held to the county's security and audit requirements, and had to get clearance from the county's team, including risk managers, prosecuting attorneys, Health Insurance Portability and Accountability Act and criminal justice information services security specialists, an IT security officer, and procurement and contracts officers.

Bill Kehoe, CIO of King County, said he takes time to educate his staff about cloud environments and their risks. "I think you've got to be careful," he said. "You can't just throw your data into any cloud environment."

That's one reason why the county contracts with established cloud vendors, like Amazon and Microsoft, he said, adding that security staff, standard cloud architecture, security controls and diverse audits all figure into the security of larger cloud environments.

In the Event of a Breach

According to the study, there is a general feeling that outside forces, not internal security, are to be relied on to protect data in the cloud. That's because 55 percent of practitioners responded that they don't believe their IT leader is responsible for ensuring their information is secure.

"I would submit that it's everyone's responsibility to ensure the safety of the data in the cloud," Encinias said. "It's the service provider's responsibility, it's the data owner's responsibility and, as the commonwealth of Pennsylvania CIO, I'm also definitely responsible."

But distributing responsibility also makes the terms and conditions of cloud services harder to agree on, because the two parties must decide which of them will pay and when, Encinias said.

Pennsylvania's recently executed contract with Unisys, which took four to five months to put together, states that the cloud provider must provide certain information during a breach and must also help facilitate mitigation. In the case of a breach, responsibility is declared after an analysis, Encinias said.

And once a breach occurs, everything circles back to indemnification, or the protection from having to pay for another's negligence, Corpus Christi's Armstrong said. Indemnification appears in contracts, but cloud users are also protected by regulatory penalties and laws.

"The element of risk that you bear is defined in your contract documents," Armstrong said, "so it really pays, whatever time it takes, to get that right."

King County's Kehoe said he's finding that who is responsible and to what tune varies depending on the cloud environment and what portion of the technology stack the vendor is responsible for. Since breaches are costly, he said this nuance is important for his staff to understand.

"The cloud is so new to government that our security, risk management and legal counsel need to better understand the risks and how the contracts need to be different in terms of indemnification language for each of the cloud environments," he said.

For instance, IaaS and PaaS can present challenges in parsing responsibility because risk and responsibility are more widely shared between provider and customer. With SaaS, by contrast, the vendor owns everything but the data.

Along with deciding who is responsible for a breach, there also are questions surrounding timely breach notifications from cloud service providers. The survey reports that 71 percent of respondents fear their provider would not immediately notify their organization of a loss or theft of customer data.

Timely notification can be a problem, Ponemon said, along with whether stolen or lost data is discovered by the cloud provider.

Notification of a breach is a contract element, and monitoring data and suspicious activity is the responsibility of the hosting company, Armstrong said. But a lot also depends on the relationship between the vendor and the purchaser.

"At some point you've got to develop a level of trust that they have your interest in mind and that they're going to do the right thing," he said. "If you selected a good partner, if there is a data breach, you'll be able to work through that and understand the root cause of it."

Cloud Considerations

To help with the indemnification and communication questions, many governments, including Corpus Christi, are covering themselves with data breach insurance that protects governments from things like notification costs and federal penalties, which are levied before responsibility is declared.

"None of this stuff is really straightforward yet, so you've got to protect yourself," Armstrong said.

Indeed, the market for insurance is on the rise, with an adoption rate of about 30 percent, Ponemon said. Companies with good security practices are likelier to hold such insurance, according to another Ponemon Institute study quantifying the cost of a data breach.

Options like insurance can protect municipalities that may not have the right tools or resources in a data breach, Ponemon said.

And if going with cloud makes sense, Ponemon suggests organizations make the decision looking at the whole picture: "Make sure it's not just a cost decision, that it's based on cost, quality, the ability to deploy quickly. All of that good stuff should be determined in advance. Then I think it would be, in many cases, a big improvement for government organizations.

"The key," he added, "is if you're going to do cloud, just do it safely."